The following contains excerpts of an FDA Voice blog post by FDA Commissioner Scott Gottleib.
The U.S. food supply is among the safest in the world. But to keep it safe we must recognize our foods are vulnerable – not just from unintended contamination, but from those who would seek to deliberately do us harm.
Ensuring we’re prepared to minimize the risk of an intentional attack on our food supply is a goal we share with the food industry and consumers.
The Food Safety Modernization Act charges FDA with addressing the burden of foodborne illness by requiring that producers, importers and distributors of food take systematic steps to prevent contamination. Congress passed FSMA with a view of the unique risks posed by a global food supply. Six of FDA’s seven “foundational rules” for FSMA focus on the safe production, storage and transport of human and animal food by addressing conventional food safety hazards.
But a different reality shapes the seventh rule on intentional adulteration. This provision seeks to prevent acts of terrorism meant to harm and kill many people. Food facilities covered by this rule (both domestic and foreign facilities that export to the United States) are required to implement — for the first time — a food defense plan that identifies vulnerabilities and ways to reduce the risk of intentional adulteration.
Congress directed FDA to focus its efforts to prevent intentional adulteration on the highest risks to the food supply. That’s why the Intentional Adulteration Rule primarily covers large food companies whose products reach many people.
Extensive analysis shows that some of the most significant risks are posed by an attack perpetrated by someone who has legitimate access to a facility, perhaps under the guise of an employee. This is why the new rule asks facilities to focus their efforts on processing activities that — if deliberately attacked by a rogue insider — could potentially result in widespread contamination of products.
FDA is committed to making the implementation of the Intentional Adulteration rule as practical and flexible as possible for the food industry. Even though the initial compliance date for the largest businesses is July 2019, more than a year away, I’m taking steps right now to fully understand stakeholder concerns and challenges, and address them.
As part of this fact-finding process, I recently visited the Nestlé Dreyer’s Grand Ice Cream facility in Laurel, Md. My FDA colleagues and I were taken on a tour of the facility, from the receiving dock to the production line to the packaging equipment. It was very helpful for me to see, first hand, the processes and practices Nestlé has in place that could be used to guard against deliberate contamination.
This is new regulatory territory for both FDA and industry. We need to make sure we implement these new requirements in a way that achieves its public health goal, without creating unnecessary burdens or costs on industry. From my interactions, I’ve come to believe there may be misconceptions about how we’re expecting the food industry to implement this rule.
Food facilities covered by the rule will be able to choose from a wide range of options to identify and reduce their vulnerabilities. They have the flexibility to tailor individual options that are cost-effective and make sense for each particular facility.
Many current steps companies take can become important parts of a food defense plan to meet the Intentional Adulteration requirements. However, we also know that there are some areas where additional measures will be needed.
We agree with food companies that the “inherent characteristics” of food production equipment and processes should be considered when conducting a vulnerability assessment. At Nestlé, for example, vats of chocolate with hatches at the ground level can’t be opened without creating a flood of chocolate, which certainly wouldn’t escape notice. Our rules are meant to be practical. In this case, the inherent characteristics of chocolate vats make the ground-level hatches a low area of vulnerability. This means that mitigation steps may not be needed at this point of access.
During discussions with stakeholders, we’ve also heard that some people believe plants might be required to construct vast enclosures for their equipment, invest in advanced computer systems, or reengineer whole processing lines. That’s not the case. We’ve also heard that some companies believe they’ll have to hire more workers for the sole purpose of observing other workers. We don’t believe that’s going to be the case.
Moreover, we’ve also heard concerns that implementing some food defense measures required under the rule may create conditions that negatively impact worker safety, food safety and food quality. During our extensive work with industry to develop the proposed rule, we’ve identified a variety of strategies that are very practical to implement and don’t impact food production or safety of any kind.
And make no mistake, food safety is — and will remain — our first priority. In implementing the requirements of the intentional adulteration rule, we don’t want facilities to take any steps taken that could jeopardize food or worker safety.
I’ve also heard concerns expressed about the potential paperwork requirements associated with the rule and costs associated with monitoring the food defense protective measures required in the rule. We’ll provide examples of how to minimize paperwork and templates for recordkeeping so that costs are kept to a minimum.
We also expect that many of the options for monitoring can be incorporated into an employee’s existing responsibilities. And the frequency of monitoring for some strategies can also be kept to a minimum while still assuring the measures are working, thereby reducing costs.
Part of the feedback that we received during the Nestlé tour was the need for FDA to provide a guidance document to provide clarity on how firms can more easily meet the new requirements. That’s something we’re working on right now. We plan to publish this new guidance document well in advance of the initial compliance date in 2019.
We’ll soon be publishing the first chapters of this three-part draft guidance to focus on important questions I’ve heard. Our hope is that this guidance will help manufacturers focus on those measures that have a meaningful impact on protecting food from intentional adulteration. We plan to publish the remaining two parts of the guidance this summer. The entire draft guidance will be available for public comment.
The first two installments of the guidance focus on the greatest concerns expressed by the food industry and the requirements that drive costs. The first installment includes a simple, cost-effective way to identify the most vulnerable parts of the production process. It details numerous ways to guard against deliberate contamination, including some existing and cost-effective measures, as well as additional ways to monitor the operation to make sure that protections are working. The second installment includes guidance on an additional, detailed, and flexible method to identify a facility’s most vulnerable points.
Finally, the third installment focuses on corrective actions, verifying that the system is working, how to reanalyze the plan and its parts and record keeping.
Protecting Against an Inside Attacker
Importantly, the guidance will also address measures facilities can take to address the risk of an inside attacker. The rule identifies that the greatest risk comes from an inside attacker rather than from an outsider. The new measures require that the assessment of vulnerabilities must consider the potential threat from within a facility.
While the possibility of an inside attacker is hopefully not likely at a particular facility, we’re not talking about a theoretical danger. The threat landscape for intentional adulteration continues to grow regarding an inside attack even since the rule was finalized in 2016.
To take one vivid example: There was a recent report of a foiled terror plot in the United Kingdom that involved an employee at a food manufacturing plant who had been investigating ways to poison supermarket-ready foods.
FDA has worked on food defense assessments for more than a decade in collaboration with food manufacturers, universities, and government partners — including the intelligence and law enforcement communities. Our interactions with intelligence and law enforcement communities have repeatedly indicated that an inside attacker presents the greatest potential danger.
Some existing, protective measures in food facilities, such as perimeter fencing and general visitor protocols, are focused on thwarting an outside threat. These measures are also important. But they don’t address the full scope of risks, including an inside attacker, that must be considered when identifying a facility’s most vulnerable points.
The guidance document will provide examples of how to protect against an inside attacker using a range of measures that can be adapted to best meet individual facility needs. In many cases, food facilities will be able to leverage their existing protections.
Industry has also asked about the availability of training on these new requirements, both for food facilities and regulators. We’re working on both fronts to create training and technical assistance for food facilities that’s consistent with other FSMA-related training. And we’ll be training both federal and state regulators as well.
While intentional adulteration is unlikely, a successful attack could have devastating public health consequences. FDA and the food industry are committed to the overarching goal of protecting consumers from these and other risks.